Overview
Use Remote Syslog to forward appliance event log messages to one or two external syslog receivers. The workflow controls the primary destination, optional second destination, destination ports, and one-time test message delivery.
The same settings are available from the CLI through:
config system syslog
show system syslog
Typical Uses
Use this topic when appliance events should be collected by a central syslog server, SIEM, or operational logging system.
Typical examples:
Show remote syslog settings: show system syslog
Display from config: config system syslog
Enable primary syslog:
config system syslog enable_server true server 10.0.0.60 port 514
Enable primary and backup syslog:
config system syslog enable_server true server 10.0.0.60 port 514 enable_backup_server true backup_server 10.0.0.61 backup_port 514
Send a test message:
config system syslog enable_server true server 10.0.0.60 port 5514 send_test_message true test_message "remote syslog test"
Prerequisites
- Confirm that you have administrator permission to change system settings.
- Record the current settings with show system syslog.
- Confirm the primary syslog receiver address and UDP port.
- Confirm the second syslog receiver address and UDP port if backup forwarding is required.
- Confirm firewall, ACL, and routing rules from the appliance to each receiver.
- Confirm that each syslog receiver is listening before sending a test message.
- Use an unprivileged UDP port, such as 5514, when testing with a temporary receiver that is not running with elevated privileges.
- Use quotes for values that contain spaces.
Workflow
- Open System Settings.
- Choose Remote Syslog.
- Review Enable Remote Syslog, Remote Syslog Address, and Remote Syslog Port.
- Configure Enable 2nd Remote Syslog Address, 2nd Remote Syslog Address, and 2nd Remote Syslog Port when a second receiver should receive the same events.
- Enable Send Test Message and enter Test Message when you need to validate delivery.
- Apply the workflow.
- Verify the saved settings in the web view or with show system syslog.
Expected Behavior
The workflow displays the current remote syslog settings and applies selected changes to the saved event delivery configuration.
Remote syslog delivery is handled by l01_evlogd. When an event is eligible
for remote delivery, l01_evlogd sends it to each enabled syslog destination.
The workflow configures the event filter to forward info, warning, and error
events.
When Send Test Message is enabled, the workflow validates the enabled destinations and sends Test Message to each enabled syslog server before committing the settings. The workflow log includes the target server, port, and message for each test send, then records the settings update.
The expected log sequence for a test run is:
Send test message to syslog server server=<server> port=<port> message="<message>"
Test message sent to remote syslog server server=<server> port=<port> message="<message>"
Change remote Syslog settings...
Remote syslog settings are updated
Task execution completed
Send Test Message and Test Message are one-time workflow inputs. They are not persistent remote syslog settings.
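The log sequence above can be checked mechanically after a test run. The following is an added example, not part of the product: it assumes the workflow log is available as plain text lines in the shapes listed above, and it assumes that a missing "Test message sent" line means the send was not confirmed. The function name and sample log are constructed for illustration.

```python
import re

# Line shapes follow the log sequence listed above; other lines are ignored.
ATTEMPT = re.compile(r'Send test message to syslog server server=(\S+) port=(\d+) message="(.*)"')
SENT = re.compile(r'Test message sent to remote syslog server server=(\S+) port=(\d+) message="(.*)"')

def check_test_run(lines, destinations, message):
    """Return a list of problems; an empty list means the run matches the sequence."""
    attempted, sent, problems = set(), set(), []
    committing = updated = False
    for line in lines:
        a, s = ATTEMPT.search(line), SENT.search(line)
        m = a or s
        if m:
            dest = (m.group(1), int(m.group(2)))
            if committing:
                problems.append(f"{dest}: test line logged after the settings change began")
            if m.group(3) != message:
                problems.append(f"{dest}: unexpected message {m.group(3)!r}")
            (attempted if a else sent).add(dest)
        elif "Change remote Syslog settings" in line:
            committing = True
        elif "Remote syslog settings are updated" in line:
            updated = True
    for dest in destinations:
        if dest not in attempted:
            problems.append(f"{dest}: no test send attempted")
        elif dest not in sent:
            problems.append(f"{dest}: send attempted but not confirmed")
    for dest in sorted(attempted - set(destinations)):
        problems.append(f"{dest}: test sent to a destination that is not configured")
    if not updated:
        problems.append("settings update was not recorded")
    return problems

# Constructed sample log for a primary and a second destination.
SAMPLE_LOG = [
    'Send test message to syslog server server=10.0.0.60 port=5514 message="remote syslog test"',
    'Test message sent to remote syslog server server=10.0.0.60 port=5514 message="remote syslog test"',
    'Send test message to syslog server server=10.0.0.61 port=514 message="remote syslog test"',
    "Change remote Syslog settings...",
    "Remote syslog settings are updated",
    "Task execution completed",
]

if __name__ == "__main__":
    dests = [("10.0.0.60", 5514), ("10.0.0.61", 514)]
    for problem in check_test_run(SAMPLE_LOG, dests, "remote syslog test"):
        print(problem)
```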
In The Web UI
Review Remote Syslog Settings
- Open System Settings.
- Choose Remote Syslog.
- Review Enable Remote Syslog, Remote Syslog Address, and Remote Syslog Port.
- Review the second destination fields if backup forwarding is configured.
- Apply no changes if you only need to inspect the current settings.
Configure Primary Remote Syslog
- Set Enable Remote Syslog.
- Enter Remote Syslog Address.
- Set Remote Syslog Port.
- Apply the workflow.
- Verify the saved settings with show system syslog.
Configure The Second Remote Syslog Destination
- Set Enable 2nd Remote Syslog Address.
- Enter 2nd Remote Syslog Address.
- Set 2nd Remote Syslog Port.
- Apply the workflow.
- Verify the saved settings with show system syslog.
Send A Test Message
- Configure and enable at least one remote syslog destination.
- Set Send Test Message.
- Enter a clear Test Message, such as remote syslog test from 01Layer.
- Apply the workflow.
- Confirm that the syslog receiver receives the test message.
- Review the workflow log for the target server, port, and message.
Check From The CLI
Use either command below to display the current remote syslog settings:
config system syslog
show system syslog
The config form without additional fields is display-only. It does not modify
the configuration.
CLI Help Reference
Display the remote syslog fields:
config system syslog ?
Expected fields:
<Enter> - Display current settings
enable_server - Enable remote syslog service
server - Remote syslog server address
port - Remote syslog server port
enable_backup_server - Enable second remote syslog server
backup_server - Second remote syslog server address
backup_port - Second remote syslog server port
send_test_message - Send a one-time test message
test_message - Test message to remote Syslog server
Change From The CLI
Enable the primary remote syslog destination:
config system syslog enable_server true server 10.0.0.60 port 514
Enable a primary destination on an unprivileged test port:
config system syslog enable_server true server 10.0.0.60 port 5514
Enable both primary and second destinations:
config system syslog enable_server true server 10.0.0.60 port 514 enable_backup_server true backup_server 10.0.0.61 backup_port 514
Send a one-time test message to the enabled destination:
config system syslog enable_server true server 10.0.0.60 port 5514 send_test_message true test_message "remote syslog test from 01Layer"
Disable remote syslog delivery while retaining saved addresses and ports:
config system syslog enable_server false enable_backup_server false
Field Reference
| CLI Field | UI Field | Type Or Values | Notes |
|---|---|---|---|
| enable_server | Enable Remote Syslog | Boolean | Enables or disables the primary remote syslog receiver. |
| server | Remote Syslog Address | IP address or host string | Primary remote syslog receiver address. |
| port | Remote Syslog Port | Integer from 1 to 65535 | Primary remote syslog receiver UDP port. |
| enable_backup_server | Enable 2nd Remote Syslog Address | Boolean | Enables or disables the second remote syslog receiver. |
| backup_server | 2nd Remote Syslog Address | IP address or host string | Second remote syslog receiver address. |
| backup_port | 2nd Remote Syslog Port | Integer from 1 to 65535 | Second remote syslog receiver UDP port. |
| send_test_message | Send Test Message | Boolean | One-time action; not saved as a persistent setting. |
| test_message | Test Message | String | One-time test message; not saved as a persistent setting. |
Confirmation And Rollback
Applying the workflow saves the remote syslog configuration. To roll back,
reapply the previous values recorded from show system syslog.
If test message delivery is enabled, at least one remote syslog destination must also be enabled. If no destination is enabled, the workflow reports an error instead of sending the test message.
To disable remote syslog delivery without deleting saved destination settings:
config system syslog enable_server false enable_backup_server false
Notes
- Remote syslog delivery is handled by l01_evlogd.
- The workflow stores remote syslog settings in the event delivery configuration used by l01_evlogd.
- send_test_message and test_message are action inputs. They are used during the workflow run and are not persistent settings.
- The standard syslog port is 514. Temporary test receivers commonly use an unprivileged UDP port such as 5514.
- Both enabled destinations receive forwarded events.
Troubleshooting
Syslog Receiver Does Not See Events
Verify enable_server, server, and port. Confirm that the receiver is
listening on UDP, that the appliance can route to it, and that firewall or ACL
rules permit traffic from the appliance.
Test Message Is Not Received
Confirm that send_test_message is true for the workflow run and that at
least one destination is enabled. Verify the target server and port in the
workflow log. If using a temporary receiver, bind it to an unprivileged UDP port
that is reachable from the appliance.
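A temporary receiver of the kind described above, as an added example that is not part of the product. It assumes the appliance sends conventional syslog datagrams that begin with a `<PRI>` header; the function names are constructed here, and the port and test string are taken from the CLI examples on this page.

```python
import re
import socket
import time

# Assumption: the appliance sends conventional syslog datagrams that start with <PRI>.
PRI_RE = re.compile(r"^<(\d{1,3})>")
FORWARDED = {3: "error", 4: "warning", 6: "info"}  # levels the event filter forwards

def parse_datagram(data):
    """Split a datagram into facility, severity and message text."""
    text = data.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    m = PRI_RE.match(text)
    if not m or int(m.group(1)) > 191:
        return {"facility": None, "severity": None, "level": None, "text": text}
    pri = int(m.group(1))
    return {"facility": pri >> 3, "severity": pri & 7,
            "level": FORWARDED.get(pri & 7), "text": text[m.end():]}

def open_receiver(host="0.0.0.0", port=5514):
    """Bind a UDP socket; ports above 1023 need no elevated privileges."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock

def wait_for_test_message(sock, expected, timeout=30.0, allowed_sources=None):
    """Return (source_ip, parsed) for the first datagram containing `expected`, else None."""
    deadline = time.monotonic() + timeout
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return None
        sock.settimeout(remaining)
        try:
            data, (src, _port) = sock.recvfrom(8192)
        except socket.timeout:
            return None
        if allowed_sources and src not in allowed_sources:
            continue  # UDP syslog is unauthenticated: ignore unexpected senders
        parsed = parse_datagram(data)
        if expected in parsed["text"]:
            return src, parsed

if __name__ == "__main__":
    # Constructed values: the test string comes from the page's CLI example.
    rx = open_receiver(port=5514)
    hit = wait_for_test_message(rx, "remote syslog test from 01Layer", timeout=60)
    print("received" if hit else "nothing received within 60 s", hit)
```

Start the receiver before applying the workflow with send_test_message true, and pass the appliance address in allowed_sources so that only its datagrams count as a successful delivery.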
Backup Receiver Does Not See Events
Verify enable_backup_server, backup_server, and backup_port. The second
destination is independent of the primary destination and must be enabled
separately.
The Syslog Command Is Not Listed
Use config system ? and look for syslog. The command path is
config system syslog.
Related Tasks
Use SNMP and Trap Service when event forwarding should use SNMP traps. Use Device Management Access ACL to control which clients can reach the management plane. Use System Access Methods to configure SSH, HTTP, and HTTPS management access.